Login

The Login package provides comprehensive login authentication logic and related UI interfaces. It is designed to simplify the process of adding user authentication to a QOR5-based backend development project.
In QOR5 admin development, we recommend using github.com/qor5/admin/login, which wraps github.com/qor5/x/login to keep the theme of login UI consistent with Presets and provide more powerful features.

Basic Usage

The example shows how to enable both username/password login and OAuth login.

Username/Password Login

To enable Username/Password login, the UserModel needs to implement the UserPasser interface. There is a default implementation - UserPass.

Change Password

There are three ways to change the password:

1. Visit the default change password page.

2. Call the OpenChangePasswordDialogEvent event to change it in a dialog.

3. Change the password directly in Editing.

MaxRetryCount

By default, 5 login attempts with incorrect credentials are allowed; if that limit is exceeded, the user is locked for 1 hour. This helps to prevent brute-force attacks on the login system. You can call MaxRetryCount to set the maximum retry count. If you set MaxRetryCount to a value less than or equal to 0, there is no limit on login attempts, and the user will never be locked after failed login attempts.
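The following is an added example that models the lockout policy described above in plain Go; it is not code from the qor5 login package. The names lockoutPolicy, RecordFailure and IsLocked are this example's own, and it assumes that "exceeded" means the lock is applied on the failed attempt after the allowed count (the sixth failure with the default of 5); the clock is injectable so the one-hour lock can be checked without waiting.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// lockoutPolicy models MaxRetryCount semantics: after more than maxRetry
// consecutive failures the account is locked for lockDuration; a maxRetry
// of 0 or less disables the limit entirely. (Hypothetical type, not the
// library's implementation.)
type lockoutPolicy struct {
	maxRetry     int
	lockDuration time.Duration
	now          func() time.Time // injectable clock

	mu    sync.Mutex
	state map[string]*loginState
}

type loginState struct {
	failed      int
	lockedUntil time.Time
}

func newLockoutPolicy(maxRetry int, lockDuration time.Duration) *lockoutPolicy {
	return &lockoutPolicy{
		maxRetry:     maxRetry,
		lockDuration: lockDuration,
		now:          time.Now,
		state:        map[string]*loginState{},
	}
}

// IsLocked reports whether the account is currently locked out.
func (p *lockoutPolicy) IsLocked(account string) bool {
	p.mu.Lock()
	defer p.mu.Unlock()
	s, ok := p.state[account]
	return ok && p.now().Before(s.lockedUntil)
}

// RecordFailure registers one failed attempt and returns true if this
// attempt caused the account to become locked.
func (p *lockoutPolicy) RecordFailure(account string) bool {
	if p.maxRetry <= 0 {
		return false // unlimited attempts: never lock (assumed reading of "no limit")
	}
	p.mu.Lock()
	defer p.mu.Unlock()
	s := p.state[account]
	if s == nil {
		s = &loginState{}
		p.state[account] = s
	}
	s.failed++
	if s.failed > p.maxRetry {
		s.lockedUntil = p.now().Add(p.lockDuration)
		s.failed = 0 // counter restarts once the lock expires
		return true
	}
	return false
}

// RecordSuccess clears the failure counter after a successful login.
func (p *lockoutPolicy) RecordSuccess(account string) {
	p.mu.Lock()
	defer p.mu.Unlock()
	delete(p.state, account)
}

func main() {
	p := newLockoutPolicy(5, time.Hour)
	for i := 1; i <= 6; i++ {
		locked := p.RecordFailure("alice")
		fmt.Printf("failure %d -> locked=%v\n", i, locked)
	}
	fmt.Println("alice locked now:", p.IsLocked("alice"))
}
```

The policy is keyed by account so that a flood of wrong passwords for one user does not affect others, and RecordSuccess resets the counter so legitimate users who mistype once or twice are not locked later by an unrelated burst of failures.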

TOTP

There is TOTP (Time-based One-time Password) functionality out of the box, which is enabled by default.

Google reCAPTCHA

Google reCAPTCHA is disabled by default.

OAuth Login

OAuth login is based on goth.
OAuth login does not require a UserModel. If there is a UserModel, it needs to implement the OAuthUser interface. There is a default implementation - OAuthInfo.

Session Secure

The SessionSecurer provides a way to manage a unique salt for a user record. There is a default implementation - SessionSecure.

SessionSecurer helps to ensure user security even in the event of secret leakage. When a user logs in, SessionSecurer generates a random salt and associates it with the user's record. This salt is then used to sign the user's session token. When the user makes requests to the server, the server verifies that the session token has been signed with the correct salt. If the salt has been changed, the session token is considered invalid and the user is logged out.
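The following is an added example, written for this page in plain Go with the standard library; it is not the SessionSecure implementation from the qor5 login package. It shows the mechanism the paragraph describes: a random salt stored on the user record, a signing key derived from the application secret and that salt, and verification against the user's current salt, so that rotating the salt invalidates every token issued before the rotation. The names userRecord, rotateSalt, issueToken and verifyToken, and the "<userID>.<hex MAC>" token layout, are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// userRecord stands in for the user model; SessionSalt is the per-user salt
// that SessionSecurer manages. (Hypothetical type for this example.)
type userRecord struct {
	ID          string
	SessionSalt string
}

// rotateSalt stores a fresh random salt on the record. Calling it at login
// (or on logout / password change) invalidates every earlier session token.
func rotateSalt(u *userRecord) error {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return err
	}
	u.SessionSalt = hex.EncodeToString(b)
	return nil
}

// signingKey derives the per-user MAC key from the application secret and
// the user's salt. A leaked application secret alone is not enough to forge
// a token; the attacker would also need the salt stored in the database.
func signingKey(secret, salt string) []byte {
	h := hmac.New(sha256.New, []byte(secret))
	h.Write([]byte(salt))
	return h.Sum(nil)
}

func macFor(secret string, u *userRecord) []byte {
	mac := hmac.New(sha256.New, signingKey(secret, u.SessionSalt))
	mac.Write([]byte(u.ID))
	return mac.Sum(nil)
}

// issueToken produces "<userID>.<hex MAC>" under the user's current salt.
func issueToken(secret string, u *userRecord) string {
	return u.ID + "." + hex.EncodeToString(macFor(secret, u))
}

var errInvalidToken = errors.New("invalid session token")

// verifyToken recomputes the MAC with the user's *current* salt. A token
// signed under an old salt no longer verifies, which is how the user gets
// logged out after a salt change.
func verifyToken(secret, token string, lookup func(id string) (*userRecord, bool)) (*userRecord, error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return nil, errInvalidToken
	}
	u, ok := lookup(parts[0])
	if !ok {
		return nil, errInvalidToken
	}
	presented, err := hex.DecodeString(parts[1])
	if err != nil {
		return nil, errInvalidToken
	}
	if !hmac.Equal(macFor(secret, u), presented) { // constant-time compare
		return nil, errInvalidToken
	}
	return u, nil
}

func main() {
	u := &userRecord{ID: "42"}
	_ = rotateSalt(u)
	users := map[string]*userRecord{u.ID: u}
	lookup := func(id string) (*userRecord, bool) { r, ok := users[id]; return r, ok }

	tok := issueToken("app-secret", u)
	_, err := verifyToken("app-secret", tok, lookup)
	fmt.Println("fresh token valid:", err == nil)

	_ = rotateSalt(u) // e.g. the user logs in again, or an admin forces logout
	_, err = verifyToken("app-secret", tok, lookup)
	fmt.Println("old token valid after salt rotation:", err == nil)
}
```

A production token would also carry an expiry and be compared against it; the example keeps only the parts the paragraph is about (the salt-derived key and the rotation check). Because verification always reads the salt from the stored record, revoking all of a user's sessions is a single database write.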

Hooks

Hooks are functions that are called before or after certain events.
The following hooks are available:

BeforeSetPassword

Extra Values

  • password

This hook is called before resetting or changing a password. The hook can be used to validate password formats.

AfterLogin

This hook is called after a successful login.

AfterFailedToLogin

Extra Values

  • login error

This hook is called after a failed login. Note that the user parameter may be nil.

AfterUserLocked

This hook is called after a user is locked.

AfterLogout

This hook is called after a logout.

AfterConfirmSendResetPasswordLink

Extra Values

  • reset link

This hook is called after confirming the sending of a password reset link. This is where the code to send the reset link to the user should be written.

AfterResetPassword

This hook is called after a password is reset.

AfterChangePassword

This hook is called after a password is changed.

AfterExtendSession

Extra Values

  • old session token

This hook is called after a session is extended.

AfterTOTPCodeReused

This hook is called after a TOTP code has been reused.

AfterOAuthComplete

This hook is called after an OAuth authentication is completed.
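The following is an added example illustrating the hook pattern listed above; it is not code from the qor5 login package. It assumes a hook shape of a function receiving the request, the user (which the page says may be nil for AfterFailedToLogin) and the hook's extra values, and returning an error; the names HookFunc, runHooks, validatePassword, newFailedLoginAudit and demoUser are this example's own. It shows a BeforeSetPassword hook that validates the "password" extra value, and an AfterFailedToLogin hook that records the "login error" extra value without dereferencing a nil user.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"unicode"
)

// HookFunc is the assumed hook shape: request, user (may be nil), extra
// values in the order the page lists them for that hook. A non-nil error
// from a "Before" hook aborts the operation. (Hypothetical for this example.)
type HookFunc func(r *http.Request, user interface{}, extraVals ...interface{}) error

// runHooks calls each registered hook in order and stops at the first error.
func runHooks(hooks []HookFunc, r *http.Request, user interface{}, extraVals ...interface{}) error {
	for _, h := range hooks {
		if err := h(r, user, extraVals...); err != nil {
			return err
		}
	}
	return nil
}

// demoUser stands in for the application's user model.
type demoUser struct{ Account string }

// validatePassword is a BeforeSetPassword hook: extra value 0 is the new
// password, checked for length and character classes before it is stored.
func validatePassword(_ *http.Request, _ interface{}, extraVals ...interface{}) error {
	if len(extraVals) == 0 {
		return errors.New("password extra value missing")
	}
	pw, ok := extraVals[0].(string)
	if !ok {
		return errors.New("password extra value is not a string")
	}
	if len(pw) < 12 {
		return errors.New("password must be at least 12 characters")
	}
	var hasLetter, hasDigit bool
	for _, c := range pw {
		switch {
		case unicode.IsLetter(c):
			hasLetter = true
		case unicode.IsDigit(c):
			hasDigit = true
		}
	}
	if !hasLetter || !hasDigit {
		return errors.New("password must contain both letters and digits")
	}
	return nil
}

// auditEntry is one record written by the AfterFailedToLogin hook.
type auditEntry struct{ Account, Reason string }

// newFailedLoginAudit returns an AfterFailedToLogin hook. The user may be
// nil (unknown account), so the hook type-asserts and nil-checks before use;
// extra value 0 is the login error.
func newFailedLoginAudit(sink *[]auditEntry) HookFunc {
	return func(r *http.Request, user interface{}, extraVals ...interface{}) error {
		entry := auditEntry{Account: "<unknown>"}
		if u, ok := user.(*demoUser); ok && u != nil {
			entry.Account = u.Account
		}
		if len(extraVals) > 0 {
			if err, ok := extraVals[0].(error); ok && err != nil {
				entry.Reason = err.Error()
			}
		}
		*sink = append(*sink, entry)
		return nil
	}
}

func main() {
	r, _ := http.NewRequest(http.MethodPost, "/auth/reset-password", nil)
	fmt.Println("weak password:", runHooks([]HookFunc{validatePassword}, r, &demoUser{Account: "alice"}, "short1"))
	fmt.Println("ok password:  ", runHooks([]HookFunc{validatePassword}, r, &demoUser{Account: "alice"}, "correct-horse-42"))

	var log []auditEntry
	failed := []HookFunc{newFailedLoginAudit(&log)}
	_ = runHooks(failed, r, nil, errors.New("user not found"))
	_ = runHooks(failed, r, &demoUser{Account: "bob"}, errors.New("wrong password"))
	fmt.Printf("audit: %+v\n", log)
}
```

Keeping the failed-login hook free of side effects that can fail (it only appends to an audit sink and returns nil) matters because an error from an "After" hook cannot undo the event it reports; validation that should block an operation belongs in a "Before" hook such as BeforeSetPassword.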

Customize Pages

To customize pages, there are two ways:

1. Each page has a corresponding xxxPageFunc to rewrite the page content. You can easily customize a page by copying the default page func and modifying it according to your needs.

2. Only mount the API and serve the login pages manually.
This approach is useful when you want to embed the login form into an existing page.